From:
Newsgroups: sci.crypt
Subject: MD5 discussion
Date: 11 Jun 1996 14:22:03 GMT
Organization: CompuServe Incorporated
Lines: 38
Message-ID: <4pjvec$1c6@dub-news-svc-4.compuserve.com>
NNTP-Posting-Host: hd43-009.compuserve.com
Content-Type: text/plain
Keywords: MD5
Content-length: 2222
X-Newsreader: AIR Mosaic (16-bit) version 3.10.08.25
In view of the continuing discussion about MD5, I want to make a few comments,
which hopefully can help to avoid some misunderstandings and misinterpretations:
1. In February 1996 my paper "Cryptanalysis of MD4" appeared (Fast Software
Encryption, Cambridge Proceedings, Lecture Notes in Computer Sciences,
vol. 1039, Springer-Verlag, 1996, pp. 71-82). In this paper, as an example two
versions of a contract are given with the same MD4 hash value. Alf sells his
house to Ann, in the first version the price is $176,495 and in the second it is
$276,495. The contracts have been prepared by Alf. Now if Ann signs the first
version with $176,495 then Alf can altered to price to $276.495 ...
In principle this risk occurs, if you use a hash function for which (senseful) collisions
can be found, whenever you allow another person to have influence on the
contents of a document you are signing. Certainly this does not happen
very often in practical applications. But sometimes you *must* have an agreement
about a text (contract) which is then signed by two or more parties. And these are
often just the most important applications!
2. I suspect that the recent attack on MD5 compress can be refined and extended
such that it might lead to MD5 collisions (matching the right IV) and perhaps then
even to similar results as already obtained for MD4. Certainly this requires a lot of
hard additional work.
3. If you write a message for your own (nobody else has influence on it) and sign
it using MD5 (and a strong public key algorithm, of course) then there is no danger
that it can be altered (at least according to our knowledge today)! Thus it is true
that I guess almost all of you will have no risk using MD5, for instance in PGP.
However, if you accept 2., then in some cases there could be problems ...
4. After all I have reservations against keeping MD5 as a (de facto) standard,
because 2. might indicate that there is a serious security problem with MD5.
5. My conclusions are: no reason for panic, but in future implementations better
move away from MD5.
6. Presently a paper discussion the status of MD5 in detail is in preparation.
- Hans Dobbertin